zephyr: Add support for embedded AES key

de-nordic · de-nordic · commit 882fb1f1465d · 2025-10-29T15:03:48.000Z
The commit provides Kconfig options that allow to configure
MCUboot to use embedded AES key. Primary option is
CONFIG_BOOT_ENCRYPT_IMAGE_WITH_EMBEDDED_KEY that allows to select
usage of embedded key in the code.
After it follow sets of Kconfigs:
 - CONFIG_BOOT_ENCRYPT_IMAGE_GENERATE_BASIC_KEY_PROVIDER
 - CONFIG_BOOT_ENCRYPT_IMAGE_USE_CUSTOM_KEY_PROVIDER

The above set allows to select source of the key. The first option
will choose to generate default key provider, with a single
embedded key, where the key is provided as a string assigned to
CONFIG_BOOOT_ENCRYPT_IMAGE_EMBEDDED_RAW_KEY.
The second option selects user provided code as source of key(s).

Signed-off-by: Dominik Ermel &lt;dominik.ermel@nordicsemi.no&gt;
diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt
@@ -393,57 +393,59 @@ if(NOT CONFIG_BOOT_SIGNATURE_KEY_FILE STREQUAL "")
 endif()
 
 if(CONFIG_BOOT_ENCRYPTION_KEY_FILE AND NOT CONFIG_BOOT_ENCRYPTION_KEY_FILE STREQUAL "")
-  # CONF_FILE points to the KConfig configuration files of the bootloader.
-  unset(CONF_DIR)
-  foreach(filepath ${CONF_FILE})
-    file(READ ${filepath} temp_text)
-    string(FIND "${temp_text}" ${CONFIG_BOOT_ENCRYPTION_KEY_FILE} match)
-    if(${match} GREATER_EQUAL 0)
-      if(NOT DEFINED CONF_DIR)
-        get_filename_component(CONF_DIR ${filepath} DIRECTORY)
-      else()
-        message(FATAL_ERROR "Encryption key file defined in multiple conf files")
+  if(NOT CONFIG_BOOT_ENCRYPT_IMAGE_WITH_EMBEDDED_KEY)
+    # CONF_FILE points to the KConfig configuration files of the bootloader.
+    unset(CONF_DIR)
+    foreach(filepath ${CONF_FILE})
+      file(READ ${filepath} temp_text)
+      string(FIND "${temp_text}" ${CONFIG_BOOT_ENCRYPTION_KEY_FILE} match)
+      if(${match} GREATER_EQUAL 0)
+        if(NOT DEFINED CONF_DIR)
+          get_filename_component(CONF_DIR ${filepath} DIRECTORY)
+        else()
+          message(FATAL_ERROR "Encryption key file defined in multiple conf files")
+        endif()
       endif()
-    endif()
-  endforeach()
+    endforeach()
 
-  if(IS_ABSOLUTE ${CONFIG_BOOT_ENCRYPTION_KEY_FILE})
-    set(KEY_FILE ${CONFIG_BOOT_ENCRYPTION_KEY_FILE})
-  elseif((DEFINED CONF_DIR) AND
-	 (EXISTS ${CONF_DIR}/${CONFIG_BOOT_ENCRYPTION_KEY_FILE}))
-    set(KEY_FILE ${CONF_DIR}/${CONFIG_BOOT_ENCRYPTION_KEY_FILE})
-  else()
-    set(KEY_FILE ${MCUBOOT_DIR}/${CONFIG_BOOT_ENCRYPTION_KEY_FILE})
-  endif()
-  message("MCUBoot bootloader encryption key file: ${KEY_FILE}")
+    if(IS_ABSOLUTE ${CONFIG_BOOT_ENCRYPTION_KEY_FILE})
+      set(KEY_FILE ${CONFIG_BOOT_ENCRYPTION_KEY_FILE})
+    elseif((DEFINED CONF_DIR) AND
+           (EXISTS ${CONF_DIR}/${CONFIG_BOOT_ENCRYPTION_KEY_FILE}))
+      set(KEY_FILE ${CONF_DIR}/${CONFIG_BOOT_ENCRYPTION_KEY_FILE})
+    else()
+      set(KEY_FILE ${MCUBOOT_DIR}/${CONFIG_BOOT_ENCRYPTION_KEY_FILE})
+    endif()
+    message("MCUBoot bootloader encryption key file: ${KEY_FILE}")
+
+    # Emit a warning if using one of the default MCUboot key files
+    set(mcuboot_default_encryption_files
+        ${MCUBOOT_DIR}/enc-ec256-priv.pem
+        ${MCUBOOT_DIR}/enc-ec256-pub.pem
+        ${MCUBOOT_DIR}/enc-rsa2048-priv.pem
+        ${MCUBOOT_DIR}/enc-rsa2048-pub.pem
+        ${MCUBOOT_DIR}/enc-x25519-priv.pem
+        ${MCUBOOT_DIR}/enc-x25519-pub.pem
+    )
 
-  # Emit a warning if using one of the default MCUboot key files
-  set(mcuboot_default_encryption_files
-      ${MCUBOOT_DIR}/enc-ec256-priv.pem
-      ${MCUBOOT_DIR}/enc-ec256-pub.pem
-      ${MCUBOOT_DIR}/enc-rsa2048-priv.pem
-      ${MCUBOOT_DIR}/enc-rsa2048-pub.pem
-      ${MCUBOOT_DIR}/enc-x25519-priv.pem
-      ${MCUBOOT_DIR}/enc-x25519-pub.pem
-  )
+    if(${KEY_FILE} IN_LIST mcuboot_default_encryption_files)
+      message(WARNING "WARNING: Using default MCUboot encryption key file, this file is for debug use only and is not secure!")
+    endif()
 
-  if(${KEY_FILE} IN_LIST mcuboot_default_encryption_files)
-    message(WARNING "WARNING: Using default MCUboot encryption key file, this file is for debug use only and is not secure!")
+    set(GENERATED_ENCKEY ${ZEPHYR_BINARY_DIR}/autogen-enckey.c)
+    add_custom_command(
+      OUTPUT ${GENERATED_ENCKEY}
+      COMMAND
+      ${PYTHON_EXECUTABLE}
+      ${MCUBOOT_DIR}/scripts/imgtool.py
+      getpriv
+      -k
+      ${KEY_FILE}
+      > ${GENERATED_ENCKEY}
+      DEPENDS ${KEY_FILE}
+      )
+    zephyr_library_sources(${GENERATED_ENCKEY})
   endif()
-
-  set(GENERATED_ENCKEY ${ZEPHYR_BINARY_DIR}/autogen-enckey.c)
-  add_custom_command(
-    OUTPUT ${GENERATED_ENCKEY}
-    COMMAND
-    ${PYTHON_EXECUTABLE}
-    ${MCUBOOT_DIR}/scripts/imgtool.py
-    getpriv
-    -k
-    ${KEY_FILE}
-    > ${GENERATED_ENCKEY}
-    DEPENDS ${KEY_FILE}
-    )
-  zephyr_library_sources(${GENERATED_ENCKEY})
 endif()
 
 if(CONFIG_MCUBOOT_CLEANUP_ARM_CORE)
@@ -731,3 +733,18 @@ if(SYSBUILD)
   set(mcuboot_image_footer_size ${required_size} CACHE INTERNAL "Estimated MCUboot image trailer size" FORCE)
   set(mcuboot_image_upgrade_footer_size ${required_upgrade_size} CACHE INTERNAL "Estimated MCUboot update image trailer size" FORCE)
 endif()
+
+if(${CONFIG_BOOT_ENCRYPT_IMAGE_GENERATE_BASIC_KEY_PROVIDER})
+    # Need to generate single key provider source, from template.
+    # Take provided key, in form of a string and make it into C array, BOOT_AES_RAW_KEY_HEX_ARRAY,
+    # of byte size hex values.
+    set(BOOT_AES_RAW_KEY_HEX_STRING ${BOOT_ENCRYPT_IMAGE_EMBEDDED_RAW_KEY})
+    string(REGEX REPLACE "(..)" "0x\\1, " BOOT_AES_RAW_KEY_HEX_ARRAY "${BOOT_AES_RAW_KEY_HEX_STRING}")
+
+    # The tamplate references BOOT_AES_RAW_KEY_HEX_ARRAY where it expects the array to be substituted.
+    set(OUTPUT_BOOT_AES_RAW_KEY_SRC ${ZEPHYR_BINARY_DIR}/mcuboot_generated/builtin_aes_key_provider.c)
+    configure_file(templates/single_builtin_aes_key_provider.c.template ${OUTPUT_BOOT_AES_RAW_KEY_SRC} @ONLY)
+
+    # Add generated source file to build
+    zephyr_library_sources(${OUTPUT_BOOT_AES_RAW_KEY_SRC})
+endif()
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
@@ -94,6 +94,8 @@ config BOOT_ED25519_PSA_DEPENDENCIES
 
 if BOOT_ENCRYPT_IMAGE
 
+if !BOOT_ENCRYPT_IMAGE_WITH_EMBEDDED_KEY
+
 config BOOT_X25519_PSA_DEPENDENCIES
 	bool
 	select PSA_WANT_ALG_ECDH
@@ -111,6 +113,8 @@ config BOOT_X25519_PSA_DEPENDENCIES
 	  to use with it; the others are used for shared key decryption
 	  and derivation.
 
+endif # !BOOT_ENCRYPT_IMAGE_WITH_EMBEDDED_KEY
+
 endif # BOOT_ENCRYPT_IMAGE
 
 config BOOT_ECDSA_PSA_DEPENDENCIES
@@ -359,7 +363,7 @@ config BOOT_ED25519_PSA
 	select BOOT_IMG_HASH_ALG_SHA256_ALLOW
 	select BOOT_IMG_HASH_ALG_SHA512_ALLOW
 	select BOOT_ED25519_PSA_DEPENDENCIES
-	select BOOT_X25519_PSA_DEPENDENCIES if BOOT_ENCRYPT_IMAGE
+	select BOOT_X25519_PSA_DEPENDENCIES if BOOT_ENCRYPT_IMAGE_WITH_SHARED_KEY
 
 endchoice
 
@@ -595,7 +599,8 @@ config BOOT_BOOTSTRAP
 
 config BOOT_SWAP_SAVE_ENCTLV
 	bool "Save encrypted key TLVs instead of plaintext keys in swap metadata"
-	depends on BOOT_ENCRYPT_IMAGE
+	depends on BOOT_ENCRYPT_IMAGE_WITH_SHARED_KEY
+	depends on !BOOT_ENCRYPT_IMAGE_WITH_EMBEDDED_KEY
 	help
 	  If y, instead of saving the encrypted image keys in plaintext in the
 	  swap resume metadata, save the encrypted image TLVs. This should be used
@@ -663,12 +668,62 @@ config BOOT_ENCRYPTION_SUPPORT
 	help
 	  Hidden option used to check if image encryption is supported.
 
-config BOOT_ENCRYPT_IMAGE
-	bool "Support for encrypted image updates"
-	depends on BOOT_ENCRYPTION_SUPPORT
+config BOOT_ENCRYPT_IMAGE_WITH_EMBEDDED_KEY
+	bool "Use key that is already on board with MCUboot"
+	depends on BOOT_ENCRYPT_IMAGE
+	help
+	  The key is supposed to be either compiled in or on board.
+	  User is responsible for providing boot_enc_take_key
+	  function that will be able to retrieve the key.
+
+if BOOT_ENCRYPT_IMAGE_WITH_EMBEDDED_KEY
+
+choice  BOOT_ENCRYPT_IMAGE_EMBEDDED_KEY_PROVIDER
+	prompt "Embedded AES key provider"
+	default BOOT_ENCRYPT_IMAGE_GENERATE_BASIC_KEY_PROVIDER
+
+config BOOT_ENCRYPT_IMAGE_GENERATE_BASIC_KEY_PROVIDER
+	bool "Generate basic boot_enc_take_key"
+	depends on BOOT_ENCRYPT_IMAGE_WITH_EMBEDDED_KEY
+	help
+	  Basic implementation of boot_enc_take_key will be implemented,
+	  that will have single key built in, used for all images and
+	  slots.
+
+config BOOT_ENCRYPT_IMAGE_USE_CUSTOM_KEY_PROVIDER
+	bool "User provides source code for key provider"
+        help
+          User is required to provide implementation for
+          the boot_enc_take_key function.
+
+endchoice # BOOT_ENCRYPT_IMAGE_EMBEDDED_KEY_PROVIDER
+
+config BOOT_ENCRYPT_IMAGE_EMBEDDED_RAW_KEY
+	string "Hexadecimal string representing AES key"
+	depends on BOOT_ENCRYPT_IMAGE_GENERATE_BASIC_KEY_PROVIDER
+	help
+	  AES key in form of hexadecimal string that will be used to
+          generate boot_enc_take_key function, returning the key for
+          decryption and encryption of image.
+	  The key character length should be the double of expected
+	  AES key length in bytes.
+
+endif # BOOT_ENCRYPT_IMAGE_WITH_EMBEDDED_KEY
+
+config BOOT_ENCRYPT_IMAGE_WITH_SHARED_KEY
+	bool
+	default y if !BOOT_ENCRYPT_IMAGE_WITH_EMBEDDED_KEY
+	depends on BOOT_ENCRYPT_IMAGE
 	select BOOT_ENCRYPT_RSA if BOOT_SIGNATURE_TYPE_RSA
 	select BOOT_ENCRYPT_EC256 if BOOT_SIGNATURE_TYPE_ECDSA_P256
 	select BOOT_ENCRYPT_X25519 if BOOT_SIGNATURE_TYPE_ED25519
+	help
+	  Hidden option for default behaviour where AES encryption key
+	  is derived from Public Key Cryptography key exchange.
+
+config BOOT_ENCRYPT_IMAGE
+	bool "Support for encrypted image updates"
+	depends on BOOT_ENCRYPTION_SUPPORT
 	depends on !SINGLE_APPLICATION_SLOT || MCUBOOT_SERIAL
 	help
 	  If y, images in the secondary slot can be encrypted and are decrypted
diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
@@ -151,6 +151,11 @@
 #define MCUBOOT_USE_TLV_ALLOW_LIST 1
 #endif
 
+#ifdef CONFIG_BOOT_ENCRYPT_IMAGE_WITH_EMBEDDED_KEY
+#define MCUBOOT_ENC_IMAGES
+#define MCUBOOT_EMBEDDED_ENC_KEY
+#endif
+
 #ifdef CONFIG_BOOT_ENCRYPT_RSA
 #define MCUBOOT_ENC_IMAGES
 #define MCUBOOT_ENCRYPT_RSA
diff --git a/boot/zephyr/templates/single_builtin_aes_key_provider.c.template b/boot/zephyr/templates/single_builtin_aes_key_provider.c.template
@@ -0,0 +1,26 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ */
+
+#include <stddef.h>
+#include <stdbool.h>
+#include <inttypes.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "mcuboot_config/mcuboot_config.h"
+#include "bootutil/enc_key.h"
+
+int boot_take_enc_key(uint8_t *key, int image, int slot)
+{
+    const unsigned char array[] = {
+        @BOOT_AES_RAW_KEY_HEX_ARRAY@
+    };
+
+    memcpy(key, array, sizeof(array));
+
+    return 0;
+}
